Director of Security & IT

About The Position

Requirements

• 10+ years of experience in security, IT infrastructure, and compliance, with at least 3 years owning a security function in a leadership capacity.
• Experience at a scaling software or AI company (50-1,000 employees) with exposure to the tradeoffs of building security programs with constrained resources.
• Proven depth in HIPAA compliance, healthcare data protection, and SOC 2 Type II audits.
• Strong understanding of cloud security architecture (AWS), network security, container security, and production access patterns.
• Experience building or significantly maturing security and compliance programs, not solely operating existing ones.
• Demonstrated ability to operate cross-functionally with Engineering, Legal, Finance, and People teams, turning ambiguity into structured execution.
• Strong program execution skills with a track record of driving multi-quarter initiatives across security, compliance, disaster recovery, access management, and vendor risk.
• Sound judgment in high-trust environments involving sensitive systems, company risk, customer data, and internal operations.
• Strong people leadership with experience managing technical teams, setting expectations, and creating accountability.
• Ability and willingness to go deep in a hands-on way where needed and delegate to the team where appropriate.
• Experience in healthcare, benefits, fintech, or another regulated environment where data sensitivity and compliance requirements are material.

Nice To Haves

• Relevant certifications: CISSP, CISM, CCSP, AWS Certified Solutions Architect, or similar. SOC 2 and HIPAA-specific credentials are highly desirable.
• Hands-on technical capability to engage in architecture discussions, evaluate operational tradeoffs, and assess technical risk directly when needed.
• A bias toward simplicity and prioritization across a broad surface area, focusing effort on what materially reduces risk and improves reliability.

Responsibilities

• Lead the design, implementation, and continuous improvement of a comprehensive security program spanning application security, infrastructure security, data protection, and incident response.
• Implement and manage vulnerability assessments, penetration testing, and security audits to identify and mitigate risks across IT infrastructure and systems.
• Develop and maintain security policies, procedures, and controls aligned to SOC 2 Type II and HIPAA Security Rule requirements.
• Coordinate response to security incidents, including root cause analysis, containment, remediation, and legal reporting requirements.
• Own identity and access management (IAM) strategy, ensuring least-privilege access controls across production systems, cloud environments, and internal tools.
• Implement encryption, access control, audit logging, and other technical safeguards to meet HIPAA security requirements for data at rest, in transit, and during processing.
• Own SOC 2 Type II compliance initiatives, including audit preparation, controls documentation, evidence collection, and remediation of findings.
• Ensure compliance with HIPAA Privacy and Security Rules across Nayya's handling of PHI, including technical safeguards and organizational policies.
• Develop and maintain a risk management framework that identifies, evaluates, and prioritizes security and compliance risks, ensuring alignment with applicable regulations.
• Conduct regular risk assessments and vulnerability scans to proactively address potential compliance gaps.
• Prepare for and manage regulatory audits, customer security assessments, and external inspections related to data security and privacy.
• Stay current on emerging trends in healthcare data privacy regulations (HIPAA, HITECH, state-level requirements) and assess their impact on company policies and procedures.
• Oversee day-to-day IT operations, ensuring all systems, networks, and applications function effectively and securely with minimal downtime.
• Lead the internal IT help desk function, ensuring timely resolution of technical issues with clear escalation protocols and service level agreements (SLAs).
• Monitor help desk performance metrics and implement improvements based on organizational needs.
• Manage IT asset lifecycle, including procurement, tracking, maintenance, and compliance with company policies.
• Ensure effective onboarding and offboarding processes for IT systems, with a focus on security awareness and HIPAA compliance training.
• Evaluate and manage relationships with cloud providers, vendors, and third-party services to ensure they meet HIPAA and SOC 2 security and privacy requirements.
• Conduct due diligence and security assessments of third-party vendors, ensuring alignment with Nayya's data protection and compliance standards.
• Negotiate and manage contracts and SLAs to ensure third-party vendors meet security, compliance, and privacy expectations.
• Partner closely with the VP of Engineering on cloud security, infrastructure hardening, disaster recovery, and production access controls.
• Work with Legal, Finance, and People teams to ensure security and data privacy strategies align with business operations and legal obligations.
• Serve as the primary security and compliance liaison for enterprise customers, partners, and prospects during due diligence and procurement processes.
• Act as a strategic advisor to senior leadership on security investments, balancing risk mitigation against operational constraints and business priorities.
• Provide regular reports to the executive team on the status of security initiatives, compliance posture, and audit results.
• Lead, mentor, and develop a team of security, IT, and compliance professionals.
• Foster a culture of continuous improvement to stay ahead of cybersecurity threats and regulatory changes.
• Provide training to team members and the broader organization on security best practices, with emphasis on HIPAA compliance and PHI protection.